5.4 Installing the User Application

After you have created the User Application driver, you install the Identity Manager User Application.

5.4.1 About the Installation Program

The Novell Identity Manager User Application is a Java Web Application Archive (WAR) file that is deployed to the JBoss application server. It uses a database (MySQL by default) to store configuration information. Depending on the type of installation you choose, the User Application installation program also does the following:

  • Installs JBoss or lets you specify an existing version of JBoss

  • Installs MySQL or lets you specify an existing version of MySQL, Oracle, or Microsoft SQL Server 2000.

  • Configures the JRE’s certificates file so that the User Application (running on JBoss) can securely communicate with the Identity Vault and the User Application Driver.

  • Configures and deploys the WAR file to the JBoss application server.

  • Enables Novell Audit logging.

Installation Scripts and Executables

To install the Novell Identity Manager User Application, you need the following files:

  • Installer (Linux platforms: IdmUserApp.bin; Windows platforms: IdmUserApp.exe): Launches the installation program.

  • User Application WAR:

    • IDM.war: Includes the Identity Manager 3 User Application with Identity Self-Service features.

    • IDMProv.war: Installs the Provisioning Module for Identity Manager 3.

HINT: Make sure to stop any other versions of MySQL on the install machine. If you have other versions running during the install, the installer will not start a new MySQL server and will not create a new database.

To launch the installer:

  1. Obtain the appropriate installation files described in Installation Scripts and Executables.

  2. Launch the program for your platform as described below:

    Linux:

    1. Log in as a non-root account and open a terminal session.

      You must be logged into your Linux machine as a user other than root. If you are already logged in as root, log out and then log back in as another user. Do not simply “su” to another account in a terminal session, because the graphics state will not transfer to the other account. (We also do not recommend “sux.”)

    2. Execute the following command at the console:

      ./IdmUserApp.bin

    The script unpacks a Java Runtime Environment (JRE) and launches a Zero-G installer application.

    Windows:

    Double-click the IdmUserApp.exe file found in the \NT directory.

  3. Read the license agreement, then click I accept the terms of the License Agreement.

  4. Click Next in the Introduction page of the install wizard.

    Choose the install set
  5. Choose your install set, then click Next.

    Default:

    Installs and configures the following:

    • IDM User Application WAR

    • JBoss: Installs a JBoss application server or configures an existing one. For new application servers, it:

      • Creates a server configuration whose name is the name you supply in the Application Name field (specified during the installation procedure). The configuration is based on the Default or All configuration.

      • Creates scripts for starting and stopping the server.

    • MySQL: Installs MySQL or configures an existing MySQL database. For new MySQL installations, it creates scripts for starting and stopping the database server.

    Custom:

    • IDM User Application: Installs the IDM User Application and allows you to specify an existing database and JBoss server. Supported database types are MySQL, Oracle9i, Oracle10g, and Microsoft SQL Server 2000.

    • JBoss: Installs a JBoss application server or allows you to select an existing JBoss application server to use. When it installs a new application server, this option does two things:

      • Creates a server configuration whose name is the name you supply in the Application Name field (specified during the installation procedure). The configuration is based on the Default or All configuration.

      • Creates scripts for starting and stopping it.

    • MySQL: Installs MySQL. It does not create scripts for starting and stopping the database server (unlike the Default option).

  6. Follow the instructions for your installation type:

5.4.2 Selecting an Install Folder

  1. Complete selections on the following page:

    Choosing the install folder

    NOTE: On Linux, if you see /root anywhere in the path, cancel the installation and log in again as a non-root user.

  2. Click Next.

    If you chose:

5.4.3 Specifying MySQL Details

  1. Complete selections in the following page:

    Setting the base folder

    Base folder: Specify the location where you want the installer to create a new MySQL database.

    Database name: Specify the name of the database you want the installer to create.

    MySQL’s root user password: Enter the database password used for the MySQL database root user.

      This is not the same as your Linux root user account password. The IdmUserApp installer creates a new installation of MySQL on your machine, and in the process of doing that, it creates a database root account. You are specifying the password for the MySQL account.

  2. Click Next to access the page for Section 5.4.4, Specifying the Database Host and Port.

5.4.4 Specifying the Database Host and Port

  1. Complete selections on the following page:

    Host and port information

    Host: Specify the database server’s host name or IP address.

    Port: Specify the database’s listener port number. The default for MySQL is 63306.

  2. Click Next.

    If you chose:

5.4.5 Specifying the JBoss Server Settings

  1. Complete selections on the following page:

    JBoss server settings

    Base folder: Specify the location where you want the installer to install a new JBoss application server.

    Host: Specify the application server’s host name or IP address.

    Port: Specify the JBoss listener port number. The default is 8080.

  2. Click Next. If you chose:

5.4.6 Selecting the JBoss Server Configuration Type

  1. Complete selections on the following page:

    JBoss server configuration type

    Single (default) or clustering (all): Choose the type of JBoss server configuration (All for clustering, Default otherwise).

      The installation script creates a server configuration based on the server base you select. The configuration name is the same name as the Application Name you specify next.

    Application name: Specify the User Application context name. This name is part of the URL used to access the User Application.

  2. Click Next. If you chose:

5.4.7 Enabling Novell Audit Logging

To enable Novell Audit logging for the User Application:

  1. Complete selections on the following page:

    Installing a configuration file

    On: Enables Novell Audit logging for the User Application.

      For more information on setting up Novell Audit logging, see the Identity Manager User Application: Administration Guide.

    Off: Disables Novell Audit logging for the User Application. You can enable it later using the Administration tab of the User Application.

      For more information on enabling Novell Audit logging, see the Identity Manager User Application: Administration Guide.

    Server: Specify the host name or IP address for the Novell Audit server.

  2. Click Next, then continue with Section 5.4.8, Configuring the User Application.

5.4.8 Configuring the User Application

There are two pages for this configuration. One page lets you provide basic configuration information; the other is for advanced users and lets you configure additional parameters.

  1. Complete selections on the following page:

    Configuring the User Application screen

    LDAP Host: Required. Specify the host name or IP address for your LDAP server and its secure port. For example:

      myLDAPhost:636

    LDAP Administrator and password: Required. Specify the credentials for the LDAP administrator. This user must already exist. The User Application uses this account to make an administrative connection to the Identity Vault.

    Root Container DN: Required. Specify the LDAP distinguished name of the root container. This is used as the default entity definition search root when no search root is specified in the directory abstraction layer.

    Provisioning Driver DN: Required. Specify the distinguished name of the User Application Driver that you created earlier in Section 5.3, Creating the User Application Driver. For example, if your driver is UserApplicationDriver, your driver set is called myDriverSet, and the driver set is in a context of o=myCompany, you would enter a value of:

      cn=UserApplicationDriver,cn=myDriverSet,o=myCompany

    User Application Administrator: Required. An existing user in the Identity Vault that has the authority to perform any administrative task in the Identity Vault.

      This user can:

      • Use the Administration tab of the User Application

      • Use iManager to administer workflow tasks

      • Create new provisioning requests

    User Container DN: Required. Specify the LDAP distinguished name (DN) or fully qualified LDAP name of the user container.

      This defines the search scope for users and groups.

      Users in this container (and under) are allowed to log in to the User Application.

      IMPORTANT: Be sure the User Application Administrator specified during User Application Driver setup exists in this container if you want that user to be able to execute workflows.

    Group Container DN: Required. Specify the LDAP distinguished name (DN) or fully qualified LDAP name of the group container.

      Used by entity definitions within the directory abstraction layer.

    Keystore Path: Required. Specify the full path to the keystore (cacerts) file of the JRE that the JBoss application server uses to run, or click the small browse button and navigate to (and select) your cacerts file in the /idm/jre/lib/security/ path.

      The utility must have permission to write to this file.

    Keystore Password/Confirm Keystore Password: Required. Specify the cacerts password. The default is changeit.

    Email Notify Host: Specify the JBoss server hosting the Identity Manager User Application. For example:

      myJBossServer

      This value replaces the $HOST$ token in e-mail templates. The URL that gets constructed is the link to provisioning request tasks and approval notifications.

    Email Notify Port: Used to replace the $PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.

    Email Notify Secure Port: Used to replace the $SECURE_PORT$ token in e-mail templates used in provisioning request tasks and approval notifications.

  2. (Optional) Click Show Advanced Options. Complete selections on the following page:

    User Application configuration page

    Connection Timeout (millis): Time to wait (in milliseconds) for a user connection to the LDAP server before timing out.

    Provider referrals: This property is sent from the JNDI application to the LDAP server to indicate how to handle referrals. Valid values are Ignore, Follow, and Throw.

    Dereference Aliases: This attribute controls whether entries returned from the LDAP operation are dereferenced (true path) or not dereferenced (alias). Valid values are Never, Always, Finding, and Searching.

    User Object class: The LDAP user object class (typically inetOrgPerson).

    Login Attribute: The attribute (such as CN) that represents the user’s login name.

    User membership attribute: Optional. The attribute that represents the user’s group membership. No spaces allowed.

    Group Object Class: The LDAP group object class.

    Group Membership Attribute: The attribute representing the user’s group membership. Do not use spaces in this name.

    Use Dynamic groups: Select this option if you want to use dynamic groups.

    Dynamic Group Object Class: The LDAP dynamic group object class.

    ICS Logout Enabled: If this option is selected, the application supports User Application and iChain® simultaneous logout.

    ICS Logout Page: The URL to the iChain logout page.

    Email Notify Protocol: Specify one of these values:

      • HTTP

      • HTTPS

      Used to replace the $PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.

    Email Notify Secure Protocol: Used to replace the $SECURE_PROTOCOL$ token in e-mail templates used in provisioning request tasks and approval notifications.

    Session Timeout: Specify the number of minutes that user sessions can be inactive. By default, the User Application times out a session after 20 minutes.

    DataSource: Specify the JNDI name of your connection pool. By default, the connection pool JNDI name is java:/IDM.

    Add a New Container Object: Enter the LDAP name of an object class that can serve as a container.

    NOTE: To modify these values after completing the install, run the configupdate.sh script (on Linux) or the configupdate.bat file (on Windows). These files are located in your installation subdirectory. The update utility can connect to eDirectory using SSL if you use the -use_ssl parameter at startup. Otherwise, it connects to eDirectory in non-SSL mode.

  3. Click OK.

  4. Review the Pre-Installation Summary page. If everything is correct, click Install to proceed with the installation.

  5. Click Done when the installation completes.

  6. Open the Readme file in the install directory.

  7. Go to Section 5.4.11, Post-Install Tasks.
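Two of the values entered in step 1 above are easy to get subtly wrong: the Provisioning Driver DN (a comma or other special character in a driver or driver set name must be escaped, or the DN names a different object) and the Email Notify tokens (a token the installer fields never define leaves a dead approval link in the notification). The following Python example is added here and is not code from this guide or from the product; it builds the DN with RFC 4514 escaping and substitutes the $HOST$, $PORT$, $SECURE_PORT$, $PROTOCOL$ and $SECURE_PROTOCOL$ tokens strictly. The sample template, the /IDMProv context path and the secure port 8443 are assumptions.

```python
import re

# RFC 4514 characters that must be backslash-escaped inside an RDN value.
_SPECIAL = ',+"\\<>;'

def escape_rdn_value(value):
    """Escape one attribute value for use inside an LDAP DN."""
    out = []
    for i, ch in enumerate(value):
        leading_hash = ch == "#" and i == 0
        edge_space = ch == " " and i in (0, len(value) - 1)
        out.append("\\" + ch if ch in _SPECIAL or leading_hash or edge_space else ch)
    return "".join(out)

def provisioning_driver_dn(driver, driver_set, context):
    """Build the Provisioning Driver DN from the driver name, the driver set
    name and the driver set's context (o=myCompany in the guide's example)."""
    return f"cn={escape_rdn_value(driver)},cn={escape_rdn_value(driver_set)},{context}"

# $TOKEN$ placeholders as used in the User Application e-mail templates.
TOKEN_RE = re.compile(r"\$([A-Z_]+)\$")

def email_notify_tokens(host, port, secure_port, protocol="HTTP", secure_protocol="HTTPS"):
    """Token table built from the Email Notify installer fields."""
    if protocol not in ("HTTP", "HTTPS") or secure_protocol not in ("HTTP", "HTTPS"):
        raise ValueError("Email Notify protocols must be HTTP or HTTPS")
    return {"HOST": host, "PORT": str(port), "SECURE_PORT": str(secure_port),
            "PROTOCOL": protocol.lower(), "SECURE_PROTOCOL": secure_protocol.lower()}

def unresolved_tokens(template, tokens):
    """Names of tokens in the template that the installer fields do not define."""
    return sorted({name for name in TOKEN_RE.findall(template) if name not in tokens})

def render_template(template, tokens):
    """Substitute every token; fail closed on an undefined one so a dead or
    malformed approval link is caught before it is mailed."""
    missing = unresolved_tokens(template, tokens)
    if missing:
        raise KeyError("unresolved e-mail template tokens: " + ", ".join(missing))
    return TOKEN_RE.sub(lambda m: tokens[m.group(1)], template)

# Constructed sample template; the product's shipped templates are not on this
# page, and the /IDMProv context path and port 8443 are assumptions.
SAMPLE_TEMPLATE = ("A provisioning request awaits your approval: "
                   "$SECURE_PROTOCOL$://$HOST$:$SECURE_PORT$/IDMProv/")

if __name__ == "__main__":
    print(provisioning_driver_dn("UserApplicationDriver", "myDriverSet", "o=myCompany"))
    print(render_template(SAMPLE_TEMPLATE, email_notify_tokens("myJBossServer", 8080, 8443)))
```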

5.4.9 Choosing a Database Platform

  1. Complete selections on the following page:

    Select the database platform
  2. Select the database platform. Depending on your choice, follow the configuration steps in the table below:

    MySQL: For a remote MySQL environment, create a database of the name you specified in Section 5.4.3, Specifying MySQL Details.

      HINT: The installer creates the JBoss data source file for you with the name of the User Application WAR file.

    Oracle: To use Oracle databases with the User Application:

      1. Create a database on your Oracle instance (make sure the name is the same as the one you specify in Section 5.4.10, Specifying the Database Name and Privileged User).

      2. Download the ojdbc14.jar driver from Oracle’s download site and copy it to /idm/jboss/server/<server-name>/lib

      HINT: The installer creates the JBoss data source file for you with the name of the User Application WAR file.

    MS SQL: To use MS SQL databases with the User Application:

      1. Create a database on your MS SQL instance (make sure the name is the same as the one you specify in Section 5.4.10, Specifying the Database Name and Privileged User).

      2. Download the MS SQL JDBC drivers (msbase.jar, mssqlserver.jar and msutil.jar) from the Microsoft download site and copy them to /idm/jboss/server/<server-name>/lib

      3. Create your JBoss data source file pointing to this database.

      HINT: The installer creates the JBoss data source file for you with the name of the User Application WAR file.

  3. Click Next, then continue with Section 5.4.4, Specifying the Database Host and Port.

5.4.10 Specifying the Database Name and Privileged User

  1. Complete selections on the following page:

    Specify the database name and privileged user

    Database name (or SID): Specify the name of the database in which you want to store the User Application configuration information.

    Database user: Specify the database root user.

    Database password/Confirm password: Specify the database root password.

  2. Click Next, then continue with Section 5.4.5, Specifying the JBoss Server Settings.

5.4.11 Post-Install Tasks

The Forgot Password and Workflow e-mail notification capabilities require that you do the following post-installation tasks:

  1. In iManager, select the Passwords Role.

  2. Under Passwords, select Email Server Options.

  3. Provide your SMTP server name in the Host Name field.

  4. In the From field, specify an e-mail address (for example, noreply@novell.com), then click OK.

5.4.12 Testing the Install

To verify that the installation went correctly, complete the remaining steps outlined in Section 5.2, Installation and Configuration. If the Identity Manager User Application page does not appear in your browser after completing these steps, check the terminal console for error messages relating to MySQL, JBoss, and the User Application, and see Section 5.5, Troubleshooting.